What is C:\WINDOWS\SysWOW64\WerFault.exe -u -p 10168 -s 1144?

Ameer Mane 21 Reputation points
2021-06-15T03:13:19.067+00:00

Hello All,

Good day!

We are seeing many commands similar to C:\WINDOWS\SysWOW64\WerFault.exe -u -p 10168 -s 1144, and we are observing that it is writing ".tmp" files in the temp folder.

With my little knowledge and a Google search, I got to know that this is the Windows Error Reporting tool. However, our EDR is highlighting this writing activity to the temp folder as malicious.

In regard to this, I would like you to help me understand:

  1. What is the meaning of C:\WINDOWS\SysWOW64\WerFault.exe -u -p 10168 -s 1144? I assume -p represents the process ID, but I would like to know the details of the command.
  2. Is this normal activity?

Feel free to share more details on this apart from asked questions. :)

Regards,

Ameer Mane

Windows 10

2 additional answers

  1. Carl Fan 6,836 Reputation points
    2021-06-15T08:26:37.747+00:00

    Hi,
    1. The werfault.exe executable is an automatic error collection tool. If an error occurs when starting the application, the WerFault.exe process starts automatically and collects error report data. You can stop the WER service in the service window.

    -u is username or user mode and -p is process ID, -s may be the session ID.
    https://helgeklein.com/blog/2021/03/anatomy-of-werfault-exe-application-crash-error-reporting/
    https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/
    2. Usually there is no problem with this.
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl


  2. Ameer Mane 21 Reputation points
    2022-06-11T13:39:22.85+00:00

    Thanks a lot @Castorix31 and @Carl Fan, it seems there are no details for "-s", but thanks for sharing a good article.

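An added triage example, not part of the thread and not a Microsoft tool, for the EDR alert in the question: it checks that WerFault.exe runs from a Windows system directory and that the -p value, read as a process ID as in Carl Fan's answer, matches a process seen on the host. The function names, the known-PID set and the second and third sample command lines are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Directories where the genuine WerFault.exe lives on 64-bit Windows.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def parse_werfault(cmdline):
    """Split a WerFault command line into its image path and switch values."""
    m = re.match(r'\s*"?(?P<image>[^"]*?werfault\.exe)"?(?P<args>.*)$', cmdline, re.I)
    if not m:
        return None
    tokens = m.group("args").split()
    switches, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            name = tokens[i].lower()
            # A switch takes the next token as its value unless that is another switch.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                switches[name] = tokens[i + 1]
                i += 1
            else:
                switches[name] = None
        i += 1
    return {"image": m.group("image"), "switches": switches}

def triage(cmdline, known_pids):
    """Return a list of findings; an empty list means nothing unusual was seen."""
    parsed = parse_werfault(cmdline)
    if parsed is None:
        return ["not a WerFault.exe command line"]
    findings = []
    folder = str(PureWindowsPath(parsed["image"]).parent).lower()
    if folder not in EXPECTED_DIRS:
        findings.append(f"image outside system directories: {parsed['image']}")
    pid = parsed["switches"].get("-p")
    if pid is None or not pid.isdigit():
        findings.append("no numeric -p process ID")
    elif int(pid) not in known_pids:
        findings.append(f"-p {pid} does not match any process seen on the host")
    return findings

# Constructed sample data: PIDs taken from a host's process-creation log (assumption).
KNOWN_PIDS = {4, 812, 10168}
SAMPLES = [
    r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 10168 -s 1144",  # from the question
    r"C:\Users\Public\WerFault.exe -u -p 10168 -s 1144",      # constructed: wrong folder
    r"C:\Windows\System32\WerFault.exe -u -p 4242 -s 100",    # constructed: unknown PID
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage(s, KNOWN_PIDS) or "consistent with Windows Error Reporting")
```

The PID check is only as good as the process log behind it: PIDs are reused, so compare within a short time window around the WerFault launch.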